Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate - Malware Signed with Nexaweb Certificate
2025-05-24 • Ahnlab
ASEC reports that Larva-25004, a cluster related to Kimsuky activity, used malware signed with a Nexaweb Inc. certificate. Two SCR files, including a job-description-themed sample, were signed in May 2024 with certificate serial 0315e137a6e2d658f07af454c63a0af2. Execution displays an employment-related PDF lure, and ASEC assesses from the bait content that the likely audience may include people interested in defense-company jobs. The certificate observed on these two malware files was not found signing other files in ASEC's review, while a previously used Nexaweb certificate did not show malware in the checked set.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | aa8936431f7bc0fabb0b9efb6ea153f9 | 2024-06-19 | 2025-05-30 |
| HASH | 28ce4d33e7994c2be95816eea5773ed1 | 2025-05-22 | 2025-05-24 |
| HASH | 0315e137a6e2d658f07af454c63a0af2 | 2024-08-24 | 2025-05-24 |
| HASH | 73d2899aade924476e58addf26254c2e | 2024-06-19 | 2025-05-24 |